RPost´s main responsibilities as a data processor are to provide for the confidentiality, integrity, availability, and resilience of systems and services that process personal data.
This document outlines the technical and organizational measures that RPost has implemented to comply with legal and contractual obligations while processing personal data. These measures apply to all data processing activities that are within the control of RPost.
Access Control
Access rights to IT systems, data and physical buildings are provided following the need-to-know, least privilege and role-based segregation principles, employees and third-party users are only granted the level of access strictly necessary to perform their activities.
Access rights are reviewed regularly and those that are no longer required are withdrawn periodically.
User access logging mechanisms are in place, both for the RPost applications and for internal systems.
Data of a client´s instance is logically isolated from data of other customers at a database level.
Physical access control
Physical secure areas are defined based on information security and data protection requirements. These areas are safeguarded against unauthorized access using appropriate physical security measures, such as personalized access media, video surveillance, and alarm systems.
To prevent unauthorized persons from accessing security areas, procedures are in place to manage visitors and deliveries.
All regular RPost employees are issued a key to gain access to office working environment facilities. All lost or stolen keys must be reported to one’s supervisor as soon as possible. These keys do not provide access to any secure rooms, server rooms, or production service operational facilities.
Upon separation from RPost, and at any other time upon RPost’s request, all keys must be returned to the supervisor.
Logical Access Control to Processing Systems
All data processing systems, information systems, applications and databases are password protected following policies that enforce the use of complex passwords.
Passwords must be periodically updated and changed whenever there is an indication that the password has been compromised.
Access to production environments and data is logged and restricted to selected designated technology resources, and production and non-production environments are logically separated.
Access to information is provided considering the need-to-know principle. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives. Approvals are managed by workflow tools that maintain audit records of changes.
Special procedures are in place for granting access rights to privileged systems. Two-factor authentication is required for elevated and privileged access to all critical systems, this includes Developer, QA, Preview/Staging and Production environments. In summary:
To maintain information security, it is mandatory to lock computers (screen lock - password protected) when leaving the workplace. The screen lock must be set-up to be automatically activated after a short duration of inactivity.
User Activity Control
Employees must be periodically provided with basic information security and data privacy training by attending weekly RStaff training sessions. Training is also part of new hire orientation. Attendance in these RStaff training sessions are tracked per team member. These weekly meetings provide advice and training on security concepts.
User activities, including logon attempts to data processing IT systems, are logged.
Administrative activities on IT systems, such as configuration changes, are logged.
Configuration files are regularly backed up, checked, and a history is kept.
Segregation Control
Multitenant systems are used, or systems are physically or logically separated to ensure that personal data collected for different purposes are not mixed in their processing.
Data Carrier and Mobile Device Control
No client personal data is transmitted, in the course of normal business, to be stored on smartphones or USB sticks, and if any transmission to such is required, it is required to be transmitted securely.
System electronic storage media that are no longer required will be securely disposed of or destroyed in a way that makes it impossible to retrieve or access the stored data.
Pseudonymization and Anonymization
Pseudonymization or anonymization is applied to personal data to the extent necessary or at the option of the user.
In development environments used for testing purposes, data is anonymized or pseudonymized wherever possible.
Data analyzed to generate usage statistics is anonymized to protect the privacy of the data subjects.
Transfer and Dissemination Control
RPost systems are built to protect personal data and to secure transfer of data.
Data in transit that is designated to be sent securely is protected using RSA-AES256, PDF-AES256 or TLS encryption. All system stored data is encrypted at rest. The storage volumes are encrypted at block level using AES-256 in a manner consistent with NIST 800-57 and with FIPS 140-2 approved algorithms.
Two-factor authentication is required for elevated and privileged access to all critical systems and environments. Access is only granted to authorized people using VPN connections.
Mechanisms for securing data transfer, for monitoring and for logging activities in networks have been established to the required extent.
Systems are protected from malicious and vulnerable sites. Network and systems follow CIS hardening benchmarks, only certain systems have access to internet while the rest of the systems can only access internal systems. Firewalls and intrusion detection and prevention systems (IDS / IPS) are in place.
To minimize the risk of data breaches, paper printouts and exports of confidential data are avoided whenever possible.
Electronic data exports that are no longer required are deleted from the respective storage locations.
Input Control
Mechanisms for subsequent verification of who performed data entry, changes, or delete operations are in place to the required extent. Log information is stored securely and protected from tampering, ensuring the integrity of the information.
Availability Control, Resilience and Recoverability
A Disaster Recovery and Business Continuity plan is in place and defines measures intended to ensure that personal data is protected against accidental destruction or loss. It is based on a redundant design of communication, data processing systems and supporting facilities, including failover, data replication, load balancing and periodic backups. Additionally, the datacenters that host the RPost infrastructure follow the best industry standards when it comes to hardening and physical protection, high-availability internet connection, redundancy of storage, power and network.
The Disaster Recovery and Business Continuity plan is periodically reviewed, both internally and by external vendors upon request.
Appropriate virus protection is in place related to email communications services.
Job Control and Subcontracting
When selecting subcontractors, a main objective is to minimize the risk of non-compliance with data protection objectives. The selection follows a well stablished vendor qualification and management process designed to include, between other key points, a thorough evaluation of potential subcontractors' technical and organizational measures to ensure they are capable of safeguarding personal data to the required standard. The subcontractors are also required to comply with the data protection policies and regulations in force.
Review, Assessment and Evaluation
Periodically assessments are in place on IT systems for potential technical vulnerabilities or errors. Once identified, appropriate measures are taken in a timely manner to mitigate them, this includes deploying critical patches for both operating systems and software applications.
Platform and technology upgrades are periodically performed by reviewing used third party software and assuring the most recent, stable, and secure versions are installed.
All changes and configurations updates are properly documented, reviewed, approved after impact analysis, applied in test environments first, tested to ensure that they are functioning properly, and finally rolled out to production systems.
Internal and external reviews of system, processes, IT security, data protection, and controls, are in place.